Goals

The goal is to revoke a CRL Generator (CRLG) certificate within the SCMS.

Background and Strategic Fit

A CRL Generator (CRLG) can only be revoked by a root CA.  In a situation where a CRLG has been compromised or has failed, the TCotSCMSM must activate a root CA and use it to sign a Series 256 CRL listing the compromised (or failed) CRLG as revoked.  The resulting CRL file must then be copied to the CRL Store for distribution to all components.

On receipt of a CRL signed by a root CA and listing a CRLG as revoked, the CRL Store must create a new composite CRL that contains:

  1. All non-expired, Elector-signed, root-management messages
  2. The new root-CA-signed CRL listing the CRLG as revoked
  3. Any other non-expired root-CA-signed CRLs
  4. Any non-expired CRLs signed by other, non-revoked CRLGs

This new composite CRL shall be distributed to all components.  

The MA shall no longer use the revoked CRLG to sign CRLs (the procedure for adding a new CRLG will update the MA with the address and TLS certificate of the new CRLG).

Assumptions

  • In the SCMS design, there may be more than one CRLG.  However, for the Proof of Concept (PoC) deployment, there will be a single, central CRLG.  
  • The SCMS requires a valid CRLG in order to sustain operation. If the only active CRLG is revoked, the TCotSCMSM must initiate the process of adding a new CRLG (or re-certifying the existing CRLG) using the procedure described in the Add CRLG use case.
  • After receipt of the new CRL signed by a root CA listing a CRLG as revoked, all components and EEs shall cease to process any CRL signed by the revoked CRLG.
  • Components will have no reliable way to know the sequence in which valid or fraudulent revocation messages were created. Therefore, there is no effective way to "un-revoke" components previously placed on the CRL by a compromised CRLG. All previously revoked components will need to be re-certified with new certificates in order to restore trust.
  • The procedure for interacting with the CRL Store and assembling a new composite CRL is implementation specific.  There are no standard SCMS messages or procedures for performing this function.  
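As an added illustration (not part of the SCMS specification or of the PoC code, whose CRL Store procedure is implementation specific), the following Python models the composite-CRL assembly rule from the Background section together with the component-side acceptance check from the assumptions above. The signer types, identifiers, the epoch-seconds expiry field and the sample store contents are all constructed for the example; real SCMS CRLs are signed structures, and signature verification is omitted here so that only the filtering policy is shown.

```python
"""Illustrative model of the CRL Store composite-CRL rule and the component-side
check that rejects CRLs signed by a revoked CRLG.  Added example, not SCMS code:
signatures are abstracted to the signer's identity and type."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set

# Signer classes that appear in a composite CRL (labels are assumptions).
ELECTOR, ROOT_CA, CRLG = "elector", "root_ca", "crlg"


@dataclass(frozen=True)
class StoreEntry:
    """One signed file held by the CRL Store (constructed, simplified)."""
    signer_type: str
    signer_id: str
    expiry: int                      # seconds since epoch (assumed field)
    # Only meaningful for ROOT_CA-signed CRLs: CRLG identifiers revoked by this CRL.
    revoked_crlgs: FrozenSet[str] = frozenset()


def revoked_crlg_ids(entries: Iterable[StoreEntry], now: int) -> Set[str]:
    """CRLGs listed as revoked by any non-expired root-CA-signed CRL.
    Only a root CA can revoke a CRLG, so CRLG- or Elector-signed files never add
    to this set, even if they claim to."""
    revoked: Set[str] = set()
    for e in entries:
        if e.signer_type == ROOT_CA and e.expiry > now:
            revoked |= e.revoked_crlgs
    return revoked


def assemble_composite(entries: Iterable[StoreEntry], now: int) -> List[StoreEntry]:
    """Apply the four composite-CRL rules: keep non-expired Elector root-management
    messages, every non-expired root-CA-signed CRL (which includes the one naming
    the revoked CRLG), and non-expired CRLs from CRLGs that are not revoked.
    Anything signed by a revoked CRLG is dropped regardless of its expiry."""
    entries = list(entries)
    revoked = revoked_crlg_ids(entries, now)
    composite: List[StoreEntry] = []
    for e in entries:
        if e.expiry <= now:
            continue
        if e.signer_type in (ELECTOR, ROOT_CA):
            composite.append(e)
        elif e.signer_type == CRLG and e.signer_id not in revoked:
            composite.append(e)
    return composite


def component_accepts_crl(crl: StoreEntry, composite: Iterable[StoreEntry], now: int) -> bool:
    """Component/EE side: after installing the composite, refuse any CRL whose
    signer is a CRLG that a root-CA-signed CRL in the composite lists as revoked.
    (Cryptographic signature verification would precede this check in practice.)"""
    if crl.expiry <= now:
        return False
    if crl.signer_type == CRLG:
        return crl.signer_id not in revoked_crlg_ids(composite, now)
    return crl.signer_type in (ELECTOR, ROOT_CA)


# Constructed sample store contents: a single CRLG ("crlg-A") has just been
# revoked by root CA "root-1"; a second CRLG "crlg-B" remains valid.
NOW = 1_700_000_000
STORE = [
    StoreEntry(ELECTOR, "elector-set", NOW + 86_400),                       # root-management message
    StoreEntry(ROOT_CA, "root-1", NOW + 86_400, frozenset({"crlg-A"})),     # the new revocation
    StoreEntry(ROOT_CA, "root-1", NOW - 1),                                 # expired root-CA CRL
    StoreEntry(CRLG, "crlg-A", NOW + 86_400),                               # signed by revoked CRLG
    StoreEntry(CRLG, "crlg-B", NOW + 86_400),                               # other, valid CRLG
    StoreEntry(CRLG, "crlg-B", NOW - 3_600),                                # expired CRLG CRL
]


def sample_composite() -> List[StoreEntry]:
    """Composite assembled from the constructed store at time NOW."""
    return assemble_composite(STORE, NOW)


if __name__ == "__main__":
    for entry in sample_composite():
        print(entry.signer_type, entry.signer_id)
    later = StoreEntry(CRLG, "crlg-A", NOW + 10)
    print("accept later crlg-A CRL:", component_accepts_crl(later, sample_composite(), NOW))
```

The expiry filter and the revoked-signer filter are deliberately separate: the expired root-CA CRL is dropped before it can contribute to the revoked set, while a still-valid CRL from the revoked CRLG is dropped even though it has not expired. The example does not attempt to model the "un-revoke" problem noted above; entries previously placed on a CRL by the compromised CRLG are simply no longer carried, and restoring trust in them is a re-certification matter.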
